JS: Avoid tracking classes into receiver of other classes

Author: asger-semmle

javascript/ql/src/semmle/javascript/dataflow/Nodes.qll

@@ -716,7 +716,11 @@ class ClassNode extends DataFlow::SourceNode {
     result = getAReceiverNode()
     or
     exists(DataFlow::TypeTracker t2 |
-      result = getAnInstanceReference(t2).track(t2, t)
+      result = getAnInstanceReference(t2).track(t2, t) and
+      // Avoid tracking into the receiver of other classes.
+      // Note that this also blocks flows into a property of the receiver,
+      // but the `localFieldStep` rule will often compensate for this.
+      not result = any(DataFlow::ClassNode cls).getAReceiverNode()
     )
   }